RE: [logs] what is normal ?

From: Dale.Drewat_private
Date: Tue Oct 29 2002 - 10:06:52 PST


    Log analysis, in and of itself, isn't enough. You need to be able to look for
    "abnormal" patterns in log data, couple that with some analysis policies
    (sliding time windows, counts, correlation, etc.) and be able to query the
    end system for false positive analysis.

    Having an IDS that can talk to a Host Assessment product is "a good
    thing"(tm), in the sense that if you see abnormal behavior, your IDS can
    query the host assessment daemon on the end-client and run a "false positive"
    check to ensure the activity isn't associated with a malicious user (e.g.,
    check for root kits, hidden directories, etc.).

    Likewise, if you run a light-forensic module, then you can analyze data
    offline for possible user infractions (e.g., collect user histories, lsof
    output, etc.).
    
    Dale
    
    ======================================
    "SUCCESS THROUGH TEAMWORK"
    Dale Drew
    Director, Global Security/AAA Engineering & Architecture
    Level(3) Communications, LLC
    720-888-2963 | dale.drewat_private
    
    --- Lubomir.Nistorat_private wrote:
    > It is good to know what is normal and what not, but not many users (or
    > "security experts") know that. But such log analysis requires lots of time
    > and research. I very much doubt that there are many companies that have
    > sufficient people for the job who have sufficient time to do research and
    > investigation (if you know of any, let me know as I'd like to work for
    > them).
    >
    > Windows is pretty painful for log analysis, and from the info in the sec
    > eventlog you can't judge if it's an attack or just a misbehavior.
    > Therefore the list is very useful to have, as people don't have to
    > reinvent the wheel and can solve the prob much sooner.
    >
    >
    > lubo
    >
    > -----Original Message-----
    > From: Ganu Skop [mailto:skopganuat_private]
    > Sent: Wednesday, 23 October 2002 08:01
    > To: WindexKing; loganalysisat_private
    > Subject: Re: [logs] Fight Back
    > 
    > 
    > 
    > I pretty much depend on looking for what is not
    > normal (!=normal) so that I could be able to define
    > if there is an attack or recon or etc.
    > Isn't that good if someone has something like what is
    > normal and what is not normal?
    > 
    > 
    > --- WindexKing <WindexKing@mor-lan-d.com> wrote:
    > >
    > > > --- Ganu Skop <skopganuat_private> wrote:
    > > >> I really would love to know what tool the
    > > >> intruder used. Any idea?
    > >
    > > I'm interested in something which I think
    > > is at least slightly similar.
    > > 
    > > I spend a fair bit of time doing OS log
    > > analysis mostly for NT/W2K servers. One
    > > of the things I've been doing is trying
    > > to build up a list of scenarios which
    > > cause "attack" patterns within the Sec
    > > Logs.
    > > 
    > > Although, I'm wondering if such a list is
    > > a good idea. I'd appreciate any feedback
    > > from the list about the potential benefits
    > > or drawbacks of such a list.
    > > 
    > > W 
    > > K
    > > 
    > > _______________________________________________
    > > LogAnalysis mailing list
    > > LogAnalysisat_private
    > > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
    > 
    
    
    =====
    //skopganu
    
    
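As an added example that is not part of the thread, the following Python sketch implements the sliding time window plus count policy Dale describes, run over constructed Windows-style logon failure lines; the line format, host name and addresses are assumed for illustration.

```python
"""Sliding-window count over constructed auth log lines (added example, not from
the thread). Assumed line format: "<epoch> <host> <event> <user> <src-ip>"."""
from collections import defaultdict, deque

# Constructed sample: a quiet baseline of occasional failures, then a burst of
# failures against several accounts from one source within a few seconds.
SAMPLE_LOG = """\
1000 srv1 LOGON_FAILURE alice 10.0.0.5
1300 srv1 LOGON_FAILURE bob 10.0.0.9
1900 srv1 LOGON_FAILURE alice 10.0.0.5
2500 srv1 LOGON_SUCCESS alice 10.0.0.5
3100 srv1 LOGON_FAILURE carol 10.0.0.7
4000 srv1 LOGON_FAILURE dave 10.0.0.44
4002 srv1 LOGON_FAILURE erin 10.0.0.44
4004 srv1 LOGON_FAILURE frank 10.0.0.44
4006 srv1 LOGON_FAILURE grace 10.0.0.44
4008 srv1 LOGON_FAILURE heidi 10.0.0.44
"""


def parse(text):
    """Split each line into (timestamp, host, event, user, src)."""
    events = []
    for line in text.splitlines():
        ts, host, event, user, src = line.split()
        events.append((int(ts), host, event, user, src))
    return events


def sliding_window_alerts(events, window=60, threshold=3):
    """Count LOGON_FAILURE events per source within a sliding window of
    `window` seconds and flag a source the first time its count reaches
    `threshold`. The distinct users seen in that window are kept so the
    analyst can correlate the burst across accounts."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    fired = set()
    alerts = []
    for ts, _host, event, user, src in sorted(events):
        if event != "LOGON_FAILURE":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            alerts.append({"src": src, "end": ts, "count": len(q),
                           "users": sorted({u for _, u in q})})
    return alerts
```

The three isolated baseline failures never accumulate inside one window, so only the burst from 10.0.0.44 is reported; the threshold and window are the "what is normal" knobs the thread is asking about.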



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 12:21:48 PST